Abstract

The concept of universal designated verifier signatures was introduced by Steinfeld, Bull,
Wang and Pieprzyk at Asiacrypt 2003. These signatures can be used as standard publicly
verifiable digital signatures but have an additional functionality which allows any holder of
a signature to designate the signature to any desired verifier. This designated verifier can
check that the message was indeed signed, but is unable to convince anyone else of this fact.
We propose new efficient constructions for pairing-based short signatures. Our first scheme is
based on Boneh-Boyen signatures and its security can be analyzed in the standard security
model. We prove its resistance to forgery assuming the hardness of the so-called strong
Diffie-Hellman problem, under the knowledge-of-exponent assumption. The second scheme
is compatible with the Boneh-Lynn-Shacham signatures and is proven unforgeable, in the
random oracle model, under the assumption that the computational bilinear Diffie-Hellman
problem is intractable. Both schemes are designed for devices with constrained computation
capabilities since the signing and the designation procedures are pairing-free. Finally, we
present extensions of these schemes in the multi-user setting proposed by Desmedt in 2003.

Keywords: pairing-based cryptography, designated verifier signature, security analysis 

1 Introduction 

Recently many universal designated verifier signature protocols have been proposed (e.g.
[20, 23]). The present paper focuses on two new efficient constructions for pairing-based
short signatures [3, 5] and on their security treatment. The resistance to forgery of the
first scheme relies on the hardness of the strong Diffie-Hellman problem, under the
knowledge-of-exponent assumption, in the standard security model; that of the second
scheme relies, in the random oracle model, on the hardness of a new computational problem
(not easier than the widely used computational bilinear Diffie-Hellman problem).



1.1 Related work. 

Many cryptographic primitives have been proposed to limit the self-authenticating property of
digital signatures. The primary one, undeniable signatures, introduced by Chaum and van
Antwerpen in 1989 [6], appeared to have some weaknesses. The concept of designated verifier

*This is the full version of "New Extensions of Pairing-based Signatures into Universal Designated Verifier 
Signatures" [22] presented at ICALP'06. 
signatures was introduced by Jakobsson, Sako and Impagliazzo [11] in order to repair their so-
called lie detector problem. Designated verifier signatures are intended for a specific and unique
designated verifier, who is the only one able to check their validity. Motivated by privacy issues
associated with the dissemination of signed digital certificates, Steinfeld, Bull, Wang and Pieprzyk
[20] defined, in 2003, a new kind of signatures called universal designated-verifier signatures
(UDVS). This primitive can function as a standard publicly-verifiable digital signature scheme
but has an additional functionality which allows any holder of a signature to designate the
signature to any verifier. Again, the designated verifier can check that the message was signed
by the signer, but is unable to convince anyone else of this fact. Designated verifier signatures
(universal or not) have found numerous applications in financial cryptography (e.g. call for
tenders, electronic voting, electronic auctions or distributed contract signing).

Steinfeld et al. proposed an efficient UDVS scheme constructed using any bilinear group-
pair. In collaboration with Laguillaumie, we suggested in [14] a variant which significantly
improves this protocol. Both schemes are compatible with the key-generation, signing and
verifying algorithms of the Boneh-Lynn-Shacham [5] signature scheme (BLS). In [3], Boneh and
Boyen proposed efficient pairing-based short signatures (BB) whose security can be analyzed in
the standard security model. A UDVS scheme compatible with a variant of Boneh and Boyen's
scheme has been proposed by Zhang, Furukawa and Imai [23].

1.2 Contributions of the paper. 

The main contribution of the paper is to provide a new efficient UDVS protocol compatible
with the original Boneh-Boyen scheme. The idea underlying our design relies on the flexibility
of BB signatures and specifically on their good behaviour under scalar multiplication. The new
scheme, that we call UDVS-BB, is unforgeable in the standard security model assuming the
hardness of the strong Diffie-Hellman problem [3], under the knowledge-of-exponent assumption
(KEA) [2, 8]. The protocol proposed by Zhang et al. is proven unforgeable assuming
the hardness of the same algorithmic problem, but under an additional assumption (which is
stronger than KEA). The security of UDVS-BB can also be proved under a well-defined (though
ad hoc) computational problem without using any non-black-box assumption (such as KEA).
The computational workload of UDVS-BB amounts to three exponentiations over bilinear groups
for designating a signature and four pairing evaluations to verify it, and moreover, the length
of the signatures is much smaller than that of Zhang et al.'s signatures. Following the general
paradigm from [13], this scheme is readily extended to produce universal multi-designated
verifier signatures (UMDVS) [16] that are verifiable in a non-interactive way. The multi-user
scheme inherits the efficiency properties of UDVS-BB with the same signature size (which, in
particular, does not grow with the number of verifiers).

Using the same design principle, we propose a new UDVS protocol compatible with the
BLS signatures which is well-suited for devices with constrained computation capabilities and
low bandwidth. Indeed the designation procedure of the signatures is pairing-free and the
resulting size is comparable to the length of DSA signatures. The proof of security for this
scheme, that we call UDVS-BLS, takes place in the random oracle model [3]: we show that
this scheme is unforgeable with respect to a new computational assumption weaker than the
widely used computational bilinear Diffie-Hellman assumption. In some cases [11, 13] it may be
desirable that UDVSs provide a stronger notion of privacy. The scheme UDVS-BLS provides this
security requirement assuming the hardness of the xyz-decisional co-Diffie-Hellman problem. It
is possible to extend this scheme into a UMDVS one.
2 Definitions



2.1 Notations 

The set of $n$-bit strings is denoted by $\{0,1\}^n$ and the set of all finite binary strings is denoted
by $\{0,1\}^*$. Let $\mathcal{A}$ be a probabilistic Turing machine running in polynomial time (a PPTM,
for short), and let $x$ be an input for $\mathcal{A}$. The probability space that assigns to a string $a$ the
probability that $\mathcal{A}$, on input $x$, outputs $a$ is denoted by $\mathcal{A}(x)$. The support of $\mathcal{A}(x)$ is denoted
by $\mathcal{A}[x]$. Given a probability space $S$, a PPTM that samples a random element according to
$S$ is denoted by $x \xleftarrow{R} S$. For a finite set $X$, $x \xleftarrow{R} X$ denotes a PPTM that samples an
element uniformly at random from $X$.

2.2 Universal designated verifier signatures 

In this subsection, we recall the definitions of UDVS schemes and of their security requirements.

2.2.1 Syntactic definition 

Definition 1 A universal designated verifier signature scheme $\Sigma$ is an 8-tuple

$\Sigma = (\mathsf{Setup}, \mathsf{SKeyGen}, \mathsf{VKeyGen}, \mathsf{Sign}, \mathsf{Verify}, \mathsf{Designate}, \mathsf{Fake}, \mathsf{DVerify})$

such that

• (Setup, SKeyGen, Sign, Verify) is a signature scheme:

— Σ.Setup is a PPTM which takes an integer $k$ as input. The output is the public
parameters $\mathcal{P}$; $k$ is called the security parameter.

— Σ.SKeyGen is a PPTM which takes the public parameters as input. The output is a
pair $(sk_s, pk_s)$ where $sk_s$ is called a signing secret key and $pk_s$ a signing public key.

— Σ.Sign is a PPTM which takes the public parameters, a message, and a signing secret
key as inputs and outputs a bit string.

— Σ.Verify is a PPTM which takes the public parameters, a message $m$, a bit string $\sigma$
and a signing public key $pk_s$. It outputs a bit. If the bit output is 1 then the bit string
$\sigma$ is said to be a signature on $m$ for $pk_s$.

• Σ.VKeyGen is a PPTM which takes the public parameters as input. The output is a pair
$(sk_v, pk_v)$ where $sk_v$ is called a verifying secret key and $pk_v$ a verifying public key.

• Σ.Designate is a PPTM which takes the public parameters, a message $m$, a signing public
key $pk_s$, a signature $\sigma$ on $m$ for $pk_s$ and a verifying public key as inputs and outputs a bit
string.

• Σ.Fake is a PPTM which takes the public parameters, a message, a signing public key and
a verifying secret key as inputs and outputs a bit string.

• Σ.DVerify is a deterministic PPTM which takes the public parameters, a message $m$, a bit
string $\tau$, a signing public key $pk_s$, a verifying public key $pk_v$ and the matching verifying
secret key $sk_v$ as inputs. It outputs a bit. If the bit output is 1 then $\tau$ is said to be a
designated verifier signature on $m$ from $pk_s$ to $pk_v$.
$\Sigma$ must satisfy the following properties, for all $k \in \mathbb{N}$, all $\mathcal{P} \in \Sigma.\mathsf{Setup}[k]$, all $(pk_s, sk_s) \in \Sigma.\mathsf{SKeyGen}[\mathcal{P}]$, all $(pk_v, sk_v) \in \Sigma.\mathsf{VKeyGen}[\mathcal{P}]$ and all messages $m$:

• Correctness of Signature:

$\forall \sigma \in \Sigma.\mathsf{Sign}[\mathcal{P}, m, sk_s],\quad \Sigma.\mathsf{Verify}[\mathcal{P}, m, \sigma, pk_s] = \{1\}.$

• Correctness of Designation:

$\forall \sigma \in \Sigma.\mathsf{Sign}[\mathcal{P}, m, sk_s],\ \forall \tau \in \Sigma.\mathsf{Designate}[\mathcal{P}, m, pk_s, \sigma, pk_v],\quad \Sigma.\mathsf{DVerify}[\mathcal{P}, m, \tau, pk_s, pk_v, sk_v] = \{1\}.$

• Source Hiding:

$\Sigma.\mathsf{Designate}(\mathcal{P}, m, pk_s, \Sigma.\mathsf{Sign}(\mathcal{P}, m, sk_s), pk_v) = \Sigma.\mathsf{Fake}(\mathcal{P}, m, pk_s, sk_v).$

The correctness properties ensure that a properly formed (designated verifier) signature is always
accepted by the (designated) verifying algorithm. The source hiding property states that given
a message $m$, a signing public key $pk_s$, a verifying public key $pk_v$ and a designated verifier
signature $\tau$ on $m$ from $pk_s$ to $pk_v$, it is (unconditionally) infeasible to determine whether $\tau$ was produced
by Σ.Designate or Σ.Fake.

2.2.2 Security requirements 

In this section, we state the definitions of unforgeability and privacy of signer's identity under
a chosen message attack that were introduced in [14, 20].

In the following $\Sigma$ = (Setup, SKeyGen, VKeyGen, Sign, Verify, Designate, Fake, DVerify) denotes
a UDVS scheme.

Resistance to forgery. The accepted definition of security for signature schemes is existential
unforgeability under adaptive chosen message attack [10]. The notion of UDVS-EF-CMA-security
[14, 20] is a natural extension of this to the UDVS setting.

It is defined via a random experiment parameterized by a security parameter k. The ex- 
periment involves an adversarial user A and is as follows: first two public/secret key pairs for 
the signer and the verifier are generated by running the key generation algorithms. Then A 
engages in polynomially many runs of the signing oracle, the verifying oracle and - possibly - 
the random oracle, interleaved at its own choosing. Eventually, A outputs a pair (m*, r*), such 
that m* was never queried to the signing oracle, and it wins if the verifying oracle returns 1 
when queried on this pair. 

Definition 2 Let $\mathcal{A}$ be a PPTM. We consider the following random experiment, where $k \in \mathbb{N}$
is a security parameter:

Experiment $\mathbf{Exp}^{\mathrm{UDVS\text{-}EF\text{-}CMA}}_{\Sigma,\mathcal{A}}(k)$
  $\mathcal{C} \leftarrow \emptyset$
  $\mathcal{P} \xleftarrow{R} \Sigma.\mathsf{Setup}(k)$
  $(sk_s, pk_s) \xleftarrow{R} \Sigma.\mathsf{SKeyGen}(\mathcal{P})$ ; $(sk_v, pk_v) \xleftarrow{R} \Sigma.\mathsf{VKeyGen}(\mathcal{P})$
  $(m^*, \tau^*) \xleftarrow{R} \mathcal{A}^{\mathfrak{S},\mathfrak{V}}(\mathcal{P}, pk_s, pk_v)$
    $\mathfrak{S} : m \longmapsto \Sigma.\mathsf{Sign}(\mathcal{P}, m, sk_s)$ ; $\mathcal{C} \leftarrow \mathcal{C} \cup \{m\}$
    $\mathfrak{V} : (m, \tau) \longmapsto \Sigma.\mathsf{DVerify}(\mathcal{P}, m, \tau, pk_s, pk_v, sk_v)$
  return 1 if $\Sigma.\mathsf{DVerify}(\mathcal{P}, m^*, \tau^*, pk_s, pk_v, sk_v) = \{1\}$ and $m^* \notin \mathcal{C}$, 0 otherwise.

Let $\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}} \in \mathbb{N}^{\mathbb{N}}$, $\varepsilon \in [0,1]^{\mathbb{N}}$. We define the success of $\mathcal{A}$ via

$\mathbf{Succ}^{\mathrm{UDVS\text{-}EF\text{-}CMA}}_{\Sigma,\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{UDVS\text{-}EF\text{-}CMA}}_{\Sigma,\mathcal{A}}(k) = 1\big].$

1. $\mathcal{A}$ is a $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-EF-CMA-adversary if for all $k \in \mathbb{N}$, the experiment $\mathbf{Exp}^{\mathrm{UDVS\text{-}EF\text{-}CMA}}_{\Sigma,\mathcal{A}}(k)$
ends in expected time less than $\tau(k)$ and in this experiment $\mathcal{A}$ makes at most $q_{\mathfrak{S}}(k)$
(resp. $q_{\mathfrak{V}}(k)$) queries to the oracle $\mathfrak{S}$ (resp. $\mathfrak{V}$).

2. $\Sigma$ is $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}}, \varepsilon)$-UDVS-EF-CMA-secure if for any $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-EF-CMA-adversary
$\mathcal{A}$ and any $k \in \mathbb{N}$, $\mathbf{Succ}^{\mathrm{UDVS\text{-}EF\text{-}CMA}}_{\Sigma,\mathcal{A}}(k) \le \varepsilon(k)$.

This definition does not capture that the adversary cannot generate a new signature on a 
previously signed message (the so-called strong unforgeability). 



Privacy of signer's identity. As explained in [11], in some cases it may be desirable that
designated verifier signatures provide a stronger notion of privacy. More precisely, given a
designated verifier signature and two potential signing public keys, it should be computationally
infeasible for an eavesdropper to determine under which of the two corresponding secret keys
the signature was produced. The privacy of signer's identity property was formalized in
[14] to capture this security notion.

We consider a UDVS-$\Psi$-CMA-adversary $\mathcal{A}$, which runs in two stages: in the find stage,
it takes two signing public keys $pk_{s_0}$ and $pk_{s_1}$ and a verifying public key $pk_v$, and outputs a
message $m^*$ together with some state information $I^*$. In the guess stage, it gets a challenge
UDVS $\tau^*$ formed at random under one of the two keys and the information $I^*$, and must say
which key was chosen. The adversary has access to the signing oracle $\mathfrak{S}$, to the verifying oracle
$\mathfrak{V}$ and, possibly, to a random oracle. It is allowed to invoke them on any message with the
restriction of not querying $m^*$ to $\mathfrak{S}$ or $\mathfrak{V}$ in any stage.



Definition 3 Let $\mathcal{A}$ be a PPTM. We consider the following random experiments, where $b \in \{0,1\}$ and $k \in \mathbb{N}$ is a security parameter:

Experiment $\mathbf{Exp}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA\text{-}}b}_{\Sigma,\mathcal{A}}(k)$
  $\mathcal{C} \leftarrow \emptyset$
  $\mathcal{P} \xleftarrow{R} \Sigma.\mathsf{Setup}(k)$
  $(sk_{s_0}, pk_{s_0}) \xleftarrow{R} \Sigma.\mathsf{SKeyGen}(\mathcal{P})$ ; $(sk_{s_1}, pk_{s_1}) \xleftarrow{R} \Sigma.\mathsf{SKeyGen}(\mathcal{P})$ ; $(sk_v, pk_v) \xleftarrow{R} \Sigma.\mathsf{VKeyGen}(\mathcal{P})$
  $(m^*, I^*) \xleftarrow{R} \mathcal{A}^{\mathfrak{S},\mathfrak{V}}(\mathrm{find}, \mathcal{P}, pk_{s_0}, pk_{s_1}, pk_v)$
    $\mathfrak{S} : (m, i) \longmapsto \Sigma.\mathsf{Sign}(\mathcal{P}, m, sk_{s_i})$ ; $\mathcal{C} \leftarrow \mathcal{C} \cup \{m\}$
    $\mathfrak{V} : (m, \tau, i) \longmapsto \Sigma.\mathsf{DVerify}(\mathcal{P}, m, \tau, pk_{s_i}, pk_v, sk_v)$ ; $\mathcal{C} \leftarrow \mathcal{C} \cup \{m\}$
  $\sigma^* \xleftarrow{R} \Sigma.\mathsf{Sign}(\mathcal{P}, m^*, sk_{s_b})$ ; $\tau^* \xleftarrow{R} \Sigma.\mathsf{Designate}(\mathcal{P}, m^*, pk_{s_b}, \sigma^*, pk_v)$
  $b^* \xleftarrow{R} \mathcal{A}^{\mathfrak{S},\mathfrak{V}}(\mathrm{guess}, \tau^*, I^*)$
  return 1 if $b = b^*$ and $m^* \notin \mathcal{C}$, 0 otherwise.

Let $\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}} \in \mathbb{N}^{\mathbb{N}}$, $\varepsilon \in [0,1]^{\mathbb{N}}$. We define the advantage of $\mathcal{A}$ via

$\mathbf{Adv}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA}}_{\Sigma,\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA\text{-}0}}_{\Sigma,\mathcal{A}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA\text{-}1}}_{\Sigma,\mathcal{A}}(k) = 1\big].$

1. $\mathcal{A}$ is a $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-$\Psi$-CMA-adversary if for all $k \in \mathbb{N}$, the experiment $\mathbf{Exp}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA\text{-}}b}_{\Sigma,\mathcal{A}}(k)$
ends in expected time less than $\tau(k)$ and in this experiment $\mathcal{A}$ makes at most $q_{\mathfrak{S}}(k)$
(resp. $q_{\mathfrak{V}}(k)$) queries to the oracle $\mathfrak{S}$ (resp. $\mathfrak{V}$).

2. $\Sigma$ is $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}}, \varepsilon)$-UDVS-$\Psi$-CMA-secure if for any $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-$\Psi$-CMA-adversary $\mathcal{A}$
and any $k \in \mathbb{N}$, $\mathbf{Adv}^{\mathrm{UDVS\text{-}\Psi\text{-}CMA}}_{\Sigma,\mathcal{A}}(k) \le \varepsilon(k)$.

Remark. Recently, Lipmaa, Wang and Bao [15] have identified a new security requirement for
designated verifier signatures, which they called non-delegatability. This property captures the
infeasibility for a signer to delegate her authentication capacity without revealing her private
key. In spite of its interest, we do not consider this issue in the following. Indeed, in this
paper, we focus on UDVSs, and it is quite easy to see that, if the underlying designated verifier
signature scheme is non-delegatable then the basic signature scheme is universally forgeable
under a chosen-message attack. In [21], we propose a new definition of non-delegatability for
UDVS schemes and present some new schemes achieving this security requirement.

2.3 Bilinear maps and computational assumptions 

The security of asymmetric cryptographic tools relies on assumptions about the hardness of
certain algorithmic problems. Bilinear maps such as the Weil or Tate pairing on elliptic curves
and hyperelliptic curves have found various applications in cryptography (e.g. [3, 5]). In the
following, we review the definition of cryptographic bilinear maps and, in order to highlight that
our schemes apply to any instantiation of BLS and BB signatures, we do not pin down any
particular generator but instead parameterize definitions and security results by a choice of
generator.

Definition 4 A prime-order-BDH-parameter-generator is a PPTM that takes as input $k \in \mathbb{N}$
and outputs a tuple $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi)$ satisfying the following conditions:

1. $q$ is a prime with $2^{k-1} < q < 2^k$;

2. $(\mathbb{G}_1, +)$, $(\mathbb{G}_2, +)$ and $(\mathbb{G}_3, \cdot)$ are groups of order $q$;

3. $\psi : \mathbb{G}_2 \to \mathbb{G}_1$ is an isomorphism s.t. there exists a PPTM to compute $\psi$;

4. $\langle\cdot,\cdot\rangle : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_3$ satisfies the following properties:

(a) $\langle [a]Q, [b]R\rangle = \langle Q, R\rangle^{ab}$ for all $(Q, R) \in \mathbb{G}_1 \times \mathbb{G}_2$ and all $(a, b) \in \mathbb{Z}^2$;

(b) $\langle\cdot,\cdot\rangle$ is non-degenerate (i.e. $\langle \psi(P), P\rangle \neq 1_{\mathbb{G}_3}$ for some $P \in \mathbb{G}_2$);

(c) there exists a PPTM to compute $\langle\cdot,\cdot\rangle$.

Let $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi)$ be as above, $P_2 \in \mathbb{G}_2$ and let $P_1 = \psi(P_2)$. Besides the
classical Diffie-Hellman problems in the groups $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_3$, the introduction of bilinear
maps in cryptography gives rise to new algorithmic problems [5, 13]. For instance, to analyze
the security of their signatures, Boneh and Boyen [3] introduced a new computational problem,
on which the unforgeability of our scheme UDVS-BB also relies:

$\ell$-Strong Diffie-Hellman ($\ell$-SDH): let $x \in [1, q-1]$. Given $\ell \in \mathbb{N}$ and $([x]P_2, \ldots, [x^\ell]P_2) \in \mathbb{G}_2^\ell$,
compute a pair $([(x+m)^{-1}]P_1, m)$ in $\mathbb{G}_1 \times [1, q-1]$.

We will prove the unforgeability of UDVS-BB assuming the intractability of this problem under
KEA, and that of a new ad hoc problem (which is not easier than the previous one under KEA):

$\mathcal{PR}_1(\ell)$: let $x, y$ be two integers smaller than $q$. Given $\ell \in \mathbb{N}$, $(m_1, \ldots, m_\ell) \in [1, q]^\ell$ and

$([(x + m_1)^{-1}]P_1, \ldots, [(x + m_\ell)^{-1}]P_1) \in \mathbb{G}_1^\ell,$

compute a 4-tuple $(m, R, S, T)$ in $([1, q-1] \setminus \{m_1, \ldots, m_\ell\}) \times \mathbb{G}_1^3$ such that

$\langle S, X + [m]P_2\rangle = \langle R, P_2\rangle \quad\text{and}\quad \langle T, P_2\rangle = \langle R, Y\rangle, \qquad (1)$

where $X = [x]P_2$ and $Y = [y]P_2$ are also given.

The unforgeability of UDVS-BLS also relies on a new algorithmic problem (not easier
than the widely used computational bilinear Diffie-Hellman problem):

$\mathcal{PR}_2$: let $x, y, z$ be three integers smaller than $q$. Given $[x]P_1$, $[y]P_2$ and $[z]P_2$, compute a pair
$(R, Q) \in \mathbb{G}_1 \times \mathbb{G}_2$ such that $\langle R, Q\rangle = \langle P_1, P_2\rangle^{xyz}$.

Its UDVS-$\Psi$-CMA-security relies on the decisional variant of it, which we denote $\mathcal{PR}_3$.

Definition 5 Let $\ell \in \mathbb{N}^{\mathbb{N}}$ and $\mathcal{A}$ be a PPTM. We consider the following random experiments,
where $k \in \mathbb{N}$ is a security parameter:

Experiment $\mathbf{Exp}^{\mathcal{PR}_1(\ell)}_{\mathsf{Gen},\mathcal{A}}(k)$
  $\mathcal{P} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $(x, y) \xleftarrow{R} [1, q-1]^2$
  $X \leftarrow [x]P_2$, $Y \leftarrow [y]P_2$
  for $i$ from 1 to $\ell(k)$ do
    $m_i \xleftarrow{R} [1, q]$ ; $R_i \leftarrow [(x + m_i)^{-1}]\psi(P_2)$
  $(m, R, S, T) \xleftarrow{R} \mathcal{A}(\mathcal{P}, P_2, X, Y, m_1, \ldots, m_{\ell(k)}, R_1, \ldots, R_{\ell(k)})$
  return 1 if $(R, S, T) \in \mathbb{G}_1^3$ and satisfies (1), 0 otherwise

Experiment $\mathbf{Exp}^{\mathcal{PR}_2}_{\mathsf{Gen},\mathcal{A}}(k)$
  $\mathcal{P} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $(x, y, z) \xleftarrow{R} [1, q-1]^3$
  $X \leftarrow [x]\psi(P_2)$, $Y \leftarrow [y]P_2$, $Z \leftarrow [z]P_2$
  $(R, Q) \xleftarrow{R} \mathcal{A}(\mathcal{P}, P_2, X, Y, Z)$
  return 1 if $(R, Q) \in \mathbb{G}_1 \times \mathbb{G}_2$ and $\langle R, Q\rangle = \langle \psi(P_2), P_2\rangle^{xyz}$, 0 otherwise

Let $\tau \in \mathbb{N}^{\mathbb{N}}$, $\varepsilon \in [0,1]^{\mathbb{N}}$ and let $i \in \{1, 2\}$. We define the successes of $\mathcal{A}$ via

$\mathbf{Succ}^{\mathcal{PR}_i}_{\mathsf{Gen},\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\mathcal{PR}_i}_{\mathsf{Gen},\mathcal{A}}(k) = 1\big].$

1. $\mathcal{A}$ is a $\tau$-$\mathcal{PR}_i$-adversary if for all $k \in \mathbb{N}$, the experiment $\mathbf{Exp}^{\mathcal{PR}_i}_{\mathsf{Gen},\mathcal{A}}(k)$ ends in expected
time less than $\tau(k)$.

2. Gen is a $(\tau, \varepsilon)$-$\mathcal{PR}_i$-secure-generator if for any $\tau$-$\mathcal{PR}_i$-adversary $\mathcal{A}$ and any $k \in \mathbb{N}$,
$\mathbf{Succ}^{\mathcal{PR}_i}_{\mathsf{Gen},\mathcal{A}}(k) \le \varepsilon(k)$.

Definition 6 Let $\mathcal{A}$ be a PPTM. We consider the following random experiments, where $d \in \{0,1\}$ and $k \in \mathbb{N}$
is a security parameter:

Experiment $\mathbf{Exp}^{\mathcal{PR}_3\text{-}d}_{\mathsf{Gen},\mathcal{A}}(k)$
  $\mathcal{P} = (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $(x, y, z, t) \xleftarrow{R} [1, q-1]^4$
  $X \leftarrow [x]\psi(P_2)$, $Y \leftarrow [y]P_2$, $Z \leftarrow [z]P_2$
  if $d = 0$ then $(R, Q) \leftarrow ([xt]\psi(P_2), [yzt^{-1}]P_2)$ otherwise $(R, Q) \xleftarrow{R} \mathbb{G}_1 \times \mathbb{G}_2$
  $b \xleftarrow{R} \mathcal{A}(\mathcal{P}, P_2, X, Y, Z, R, Q)$
  return 1 if $b = d$, 0 otherwise

Let $\tau \in \mathbb{N}^{\mathbb{N}}$, $\varepsilon \in [0,1]^{\mathbb{N}}$. We define the advantage of $\mathcal{A}$ via

$\mathbf{Adv}^{\mathcal{PR}_3}_{\mathsf{Gen},\mathcal{A}}(k) = \Pr\big[\mathbf{Exp}^{\mathcal{PR}_3\text{-}0}_{\mathsf{Gen},\mathcal{A}}(k) = 1\big] - \Pr\big[\mathbf{Exp}^{\mathcal{PR}_3\text{-}1}_{\mathsf{Gen},\mathcal{A}}(k) = 1\big].$

1. $\mathcal{A}$ is a $\tau$-$\mathcal{PR}_3$-adversary if for all $k \in \mathbb{N}$, the experiment $\mathbf{Exp}^{\mathcal{PR}_3\text{-}d}_{\mathsf{Gen},\mathcal{A}}(k)$ ends in expected
time less than $\tau(k)$.

2. Gen is a $(\tau, \varepsilon)$-$\mathcal{PR}_3$-secure-generator if for any $\tau$-$\mathcal{PR}_3$-adversary $\mathcal{A}$ and any $k \in \mathbb{N}$,
$\mathbf{Adv}^{\mathcal{PR}_3}_{\mathsf{Gen},\mathcal{A}}(k) \le \varepsilon(k)$.



3 Description of the new schemes 

In this section, we describe our new UDVS schemes. The general principle underlying the
construction of UDVS-BB and UDVS-BLS is based on an elegant technique proposed by Damgård
[8] and aimed at making public-key encryption schemes secure against (non-adaptive) chosen
ciphertext attacks. We give in detail the ideas underlying their design, since we are convinced
that they may be of independent interest¹ (e.g. for the construction of new privacy-preserving
signature schemes).



3.1 Design principle 

Let $(\mathbb{G}, +)$ be a group of prime order $q$ and let $P$ be a generator of $\mathbb{G}$. In 1991, Damgård
[8] presented a simple variant of the Elgamal encryption scheme in $\mathbb{G}$. In his proposal, Alice
publishes two public keys $A_1 = [a_1]P$ and $A_2 = [a_2]P$ and keeps secret their discrete logarithms
$a_1$ and $a_2$. When Bob wants to privately send a message $M \in \mathbb{G}$ to Alice, he picks uniformly
at random an integer $r \in [1, q-1]$ and transmits the triple $(Q_1, Q_2, C)$ where $Q_1 = [r]P$,
$Q_2 = [r]A_1$ and $C = M + [r]A_2$. When she receives the ciphertext $(Q_1, Q_2, C)$, Alice checks
whether the equality $Q_2 = [a_1]Q_1$ holds: if it is the case, she retrieves the message $M$ as
$M = C - [a_2]Q_1$, otherwise she rejects the ciphertext.

Damgård proved that if the DDH problem is hard in $\mathbb{G}$, then this scheme is semantically
secure against (non-adaptive) chosen ciphertext attacks, if we assume the so-called knowledge-
of-exponent assumption [2]. Intuitively this assumption states that, without the knowledge of
$a_1$, the only way to generate couples $(Q_1, Q_2) \in \mathbb{G}^2$ verifying $Q_2 = [a_1]Q_1$ is to choose an
integer $r \in [1, q-1]$ and to compute $Q_1 = [r]P$ and $Q_2 = [r]A_1$.
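As an added illustration (not code from the paper), Damgård's Elgamal variant is written out below in a prime-order subgroup of $\mathbb{Z}_p^*$ in multiplicative notation, including the $Q_2 = [a_1]Q_1$ check that makes Alice reject a ciphertext whose sender did not know $r$; the parameters $p = 1019$, $q = 509$, $g = 4$ are constructed toy values chosen only so the block runs instantly.

```python
import secrets

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime and g = 4 is a quadratic residue, hence a generator of the subgroup of
# prime order q.  The paper's additive [r]P is g**r mod p here.
P_MOD = 1019
Q_ORD = 509
G = 4


def rand_exponent():
    """Uniform r in [1, q-1]."""
    return 1 + secrets.randbelow(Q_ORD - 1)


def keygen(a1=None, a2=None):
    """Alice's keys: secret (a1, a2), public (A1, A2) = (g^a1, g^a2)."""
    a1 = rand_exponent() if a1 is None else a1
    a2 = rand_exponent() if a2 is None else a2
    return (a1, a2), (pow(G, a1, P_MOD), pow(G, a2, P_MOD))


def encrypt(pk, msg, r=None):
    """Bob's ciphertext (Q1, Q2, C) = (g^r, A1^r, M * A2^r).

    Q2 is the Diffie-Hellman companion of Q1 under A1: by KEA, producing it
    without a1 requires knowing r, which rules out chosen-ciphertext queries
    built from group elements of unknown discrete logarithm.
    msg must be an element of the order-q subgroup.
    """
    A1, A2 = pk
    if r is None:
        r = rand_exponent()
    Q1 = pow(G, r, P_MOD)
    Q2 = pow(A1, r, P_MOD)
    C = (msg * pow(A2, r, P_MOD)) % P_MOD
    return Q1, Q2, C


def decrypt(sk, ct):
    """Alice checks Q2 == Q1^a1 and only then returns M = C / Q1^a2.

    Returns None when the check fails, i.e. the ciphertext is rejected.
    """
    a1, a2 = sk
    Q1, Q2, C = ct
    if not (0 < Q1 < P_MOD and 0 < C < P_MOD):
        return None
    if pow(Q1, a1, P_MOD) != Q2:
        return None
    mask_inv = pow(pow(Q1, a2, P_MOD), -1, P_MOD)   # modular inverse (Python 3.8+)
    return (C * mask_inv) % P_MOD


def reject_unknown_log(sk, pk, msg=17):
    """A sender that sets Q1 to Alice's own A2 (whose log a2 it does not know)
    cannot compute the matching Q2 = A2^a1; any guess is rejected except with
    probability 1/q, whatever it puts in C."""
    A1, A2 = pk
    bogus = (A2, pow(A1, 3, P_MOD), msg)     # a guess for Q2
    return decrypt(sk, bogus) is None
```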

There are many ways in which the formulation of KEA can be varied to capture this intuition
that the only way to generate a Diffie-Hellman triple is to know the corresponding exponent
[2, 8]. Usually, this is done by saying that for any PPTM outputting such a triple, there is
an "extractor" that can return this exponent. For our purposes, it is necessary to allow the
adversary to be randomized as in [2] (in that case, it is important that the extractor gets the
coins $\omega$ of the adversary as an additional input, since otherwise the assumption is clearly false).
We propose a similar definition suitable for bilinear structures.

¹ Since the publication of [22], Laguillaumie, Libert and Quisquater [12] have proposed new universal designated
verifier signatures. The technique presented in this paper can be used to improve the efficiency of their schemes.

Definition 7 Let $\mathcal{A}$ and $\bar{\mathcal{A}}$ be two PPTM's. We consider the following random experiment,
where $k \in \mathbb{N}$ is a security parameter:

Experiment $\mathbf{Exp}^{\mathrm{kea}}_{\mathsf{Gen},\mathcal{A},\bar{\mathcal{A}}}(k)$
  $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $x \xleftarrow{R} [1, q-1]$
  $(R, S) \leftarrow \mathcal{A}_k((q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi), P_2, [x]P_2; \omega)$, with $\omega$ the random coins of $\mathcal{A}$
  $r \leftarrow \bar{\mathcal{A}}_k((q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi), P_2, [x]P_2; \omega)$
  return 1 if $(R, S) \in \mathbb{G}_1 \times \mathbb{G}_2$, $\psi(S) = [x]R$ and $R \neq [r]\psi(P_2)$, 0 otherwise

We define the advantage of $\mathcal{A}$ relative to $\bar{\mathcal{A}}$ via

$\mathbf{Adv}^{\mathrm{kea}}_{\mathsf{Gen},\mathcal{A},\bar{\mathcal{A}}}(k) = \Pr\big[\mathbf{Exp}^{\mathrm{kea}}_{\mathsf{Gen},\mathcal{A},\bar{\mathcal{A}}}(k) = 1\big].$

Let $\varepsilon \in [0,1]^{\mathbb{N}}$.

1. $\bar{\mathcal{A}}$ is an $\varepsilon$-KEA-extractor for $\mathcal{A}$ if for all $k \in \mathbb{N}$, $\mathbf{Adv}^{\mathrm{kea}}_{\mathsf{Gen},\mathcal{A},\bar{\mathcal{A}}}(k) \le \varepsilon(k)$.

2. We say that the knowledge-of-exponent assumption holds for Gen if there exists a PPTM
$\bar{\mathcal{A}}$ such that for every PPTM $\mathcal{A}$, there exists a negligible function $\varepsilon$ such that $\bar{\mathcal{A}}$ is an
$\varepsilon$-KEA-extractor for $\mathcal{A}$.



3.2 Description of the protocol UDVS-BB 
3.2.1 Boneh-Boyen's signatures. 

In 2004, Boneh and Boyen [3] proposed a new application of bilinear structures to construct
efficient short signatures. Their idea is to plug the message to be signed into the exponent and,
in order to avoid trivial "homomorphic" forgeries, to do so in a non-linear way. For an entity
whose private/public key pair is $(u, [u]P_2)$ in $[1, q-1] \times \mathbb{G}_2$, the publication of the group element
$\sigma = [(u+m)^{-1}]P_1$ seems to be a good means to authenticate a message $m \in [1, q-1]$. Indeed, the
computation of $\sigma$ for a given couple $(m, [u]P_2)$ is equivalent to the resolution of the so-called co-
CDH problem [5] and it seems to remain difficult even if the adversary is allowed to choose $m$ and
knows $[(u + m_1)^{-1}]P_1, \ldots, [(u + m_s)^{-1}]P_1$ in $\mathbb{G}_1$, for some $m_i \in [1, q-1] \setminus \{m\}$ ($i \in [1, s]$). Boneh
and Boyen have proved that this problem is not easier than the $(s+1)$-SDH problem. They also
made the important remark that the use of a second pair of keys $(v, [v]P_2)$ in $[1, q-1] \times \mathbb{G}_2$ makes
it possible to prove the unforgeability of the scheme under chosen message attacks, in the standard security
model: they suggested replacing the signature $\sigma$ by a couple $([(u + m + rv)^{-1}]P_1, r)$ where $r$
is picked uniformly at random in $[1, q-1]$. Finally, in order to be able to sign arbitrarily long
messages, a hash function family $\mathfrak{h}$ is added to the public parameters, such that for every group
order $q$ output by Gen, $\mathfrak{h}(q)$ generates the description of a (collision resistant) hash function $h$
which maps arbitrarily long bit strings to elements of $[1, q-1]$.
Algorithm UDVS-BB.Setup
Input: $k$
Output: $\mathcal{P}$
  $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $P_1 \leftarrow \psi(P_2)$ ; $h \xleftarrow{R} \mathfrak{h}(q)$
  $\mathcal{P} \leftarrow [(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi), P_1, P_2, h]$

Algorithm UDVS-BB.SKeyGen
Input: $\mathcal{P}$
Output: $(sk_s, pk_s)$
  $(u_a, v_a) \xleftarrow{R} [1, q-1]^2$
  $sk_s \leftarrow (u_a, v_a)$
  $pk_s \leftarrow ([u_a]P_2, [v_a]P_2)$

Algorithm UDVS-BB.VKeyGen
Input: $\mathcal{P}$
Output: $(sk_v, pk_v)$
  $u_b \xleftarrow{R} [1, q-1]$
  $sk_v \leftarrow u_b$
  $pk_v \leftarrow [u_b]P_2$

Algorithm UDVS-BB.Sign
Input: $\mathcal{P}$, $m$, $(u_a, v_a)$
Output: $\sigma$
  $h \leftarrow h(m)$
  repeat $r \xleftarrow{R} [1, q-1]$ until $u_a + h + v_a r \not\equiv 0 \pmod q$
  $S \leftarrow [(u_a + h + v_a r)^{-1}]P_1$
  $\sigma \leftarrow (r, S)$

Algorithm UDVS-BB.Verify
Input: $\mathcal{P}$, $m$, $(U_a, V_a)$, $(r, S)$
Output: $b$
  $\alpha \leftarrow \langle S, U_a + [h(m)]P_2 + [r]V_a\rangle$
  if $\alpha = \langle P_1, P_2\rangle$ then $b \leftarrow 1$ else $b \leftarrow 0$

Algorithm UDVS-BB.Designate
Input: $\mathcal{P}$, $m$, $(U_a, V_a)$, $U_b$, $(r, S)$
Output: $\tau$
  $t \xleftarrow{R} [1, q-1]$
  $Q_1 \leftarrow [t]S$, $Q_2 \leftarrow [t]\psi(U_b)$, $Q_3 \leftarrow [t]P_1$
  $\tau \leftarrow (r, Q_1, Q_2, Q_3)$

Algorithm UDVS-BB.Fake
Input: $\mathcal{P}$, $m$, $u_b$, $(U_a, V_a)$
Output: $\tau$
  $(r, t) \xleftarrow{R} [1, q-1]^2$
  $R \leftarrow [t]\big(\psi(U_a) + [h(m)]P_1 + [r]\psi(V_a)\big)$
  $Q_1 \leftarrow [t]P_1$, $Q_2 \leftarrow [u_b]R$, $Q_3 \leftarrow R$
  $\tau \leftarrow (r, Q_1, Q_2, Q_3)$

Algorithm UDVS-BB.DVerify
Input: $\mathcal{P}$, $m$, $u_b$, $(U_a, V_a)$, $(r, Q_1, Q_2, Q_3)$
Output: $b$
  $\alpha_1 \leftarrow \langle Q_1, U_a + [h(m)]P_2 + [r]V_a\rangle$ ; $\alpha_2 \leftarrow \langle Q_3, P_2\rangle$
  $\beta_1 \leftarrow \langle Q_3, U_b\rangle$ ; $\beta_2 \leftarrow \langle Q_2, P_2\rangle$
  if $\alpha_1 = \alpha_2 \wedge \beta_1 = \beta_2$ then $b \leftarrow 1$ else $b \leftarrow 0$

Figure 1: Description of the protocol UDVS-BB(Gen, $\mathfrak{h}$)



3.2.2 The scheme UDVS-BB. 

Let $\mathcal{P} = ((q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi), P_1, P_2)$ and $h$ be as above, and let $(U_a, V_a) \in \mathbb{G}_2^2$ be Alice's public
key for BB signatures. The principle underlying the universal designated verifier signature
scheme UDVS-BB is based on Damgård's idea. Let us suppose that Bob has published a public
key $U_b = [u_b]P_2$ and that the pair $\sigma = (r, S)$ in $[1, q-1] \times \mathbb{G}_1$ is a BB signature produced by Alice
on a message $m$. If Cindy wants to designate $\sigma$ to Bob, she picks uniformly at random an integer
$t \in [1, q-1]$ and sets $Q_1 = [t]S$, $Q_2 = [t]\psi(U_b)$ and $Q_3 = [t]P_1$. The quadruple $\tau = (r, Q_1, Q_2, Q_3)$
is the resulting designated verifier signature on $m$. The protocol UDVS-BB is described in
full detail in Figure 1. The following simple observations are intuitive arguments in favor of
the security of the protocol.

1. Under KEA, the equality

$\langle Q_3, U_b\rangle = \langle Q_2, P_2\rangle \qquad (2)$

ensures Bob that Cindy knows the value $t$ such that $Q_2 = [t]\psi(U_b)$ and $Q_3 = [t]P_1$.

2. If (2) is satisfied, Bob is convinced that Cindy knows the group element $S = [t^{-1}]Q_1$.
The BB verification equality $\langle S, U_a + [h(m)]P_2 + [r]V_a\rangle = \langle P_1, P_2\rangle$ holds if and only if the
equality

$\langle Q_1, U_a + [h(m)]P_2 + [r]V_a\rangle = \langle Q_3, P_2\rangle \qquad (3)$

does. Therefore, if the equalities (2) and (3) are true, the quadruple $\tau$ proves to Bob that
Alice has actually signed the message $m$.

3. However, this quadruple cannot convince anyone else, since it could have been produced
by Bob himself. Indeed, if Bob samples uniformly at random $(r, t)$ in $[1, q-1]^2$ and
computes the group elements

$Q_1 = [t]P_1,\quad Q_2 = [t \cdot u_b]\big(\psi(U_a) + [h(m)]P_1 + [r]\psi(V_a)\big),\quad Q_3 = [t]\psi(U_a) + [t \cdot h(m)]P_1 + [t \cdot r]\psi(V_a),$

he produces quadruples which verify (2) and (3) and follow the same distribution as those
produced by Cindy (namely with Cindy's scalar equal to $t(u_a + h(m) + v_a r) \bmod q$).

Remark. Given a UDVS produced by UDVS-BB, it is easy, by random scalar multiplication,
to produce a new signature on the same message for the same public keys. It is generally admitted that
such a weak forgery is no real threat whatsoever.

Remark. The computational workload of UDVS-BB.DVerify for the designated verifier can be
reduced to only two pairing evaluations and one group exponentiation, thanks to the knowledge
of $u_b$, by checking that $Q_2 = [u_b]Q_3$ instead of $\beta_1 = \beta_2$.

Remark. In the algorithm UDVS-BB.Fake, the verifier's secret key $u_b$ is used only to compute
$Q_2 = [u_b]R$. Therefore, the signer as well as the verifier can delegate their authenticating capacity
(without revealing their secret key) by publishing the elements $K_1 = [u_a \cdot u_b]P_1$ and $K_2 = [v_a \cdot u_b]P_1$
in $\mathbb{G}_1$. Indeed, the knowledge of $(K_1, K_2)$ suffices to produce a UDVS on
a message $m$ by picking uniformly at random $(r, t) \in [1, q-1]^2$, and computing $Q_1 \leftarrow [t]P_1$,
$Q_2 \leftarrow [t]K_1 + [t \cdot h(m)]\psi(U_b) + [t \cdot r]K_2$ and $Q_3 \leftarrow [t]\psi(U_a) + [t \cdot h(m)]P_1 + [t \cdot r]\psi(V_a)$. Therefore,
the scheme UDVS-BB is delegatable.
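The following added example (not the paper's code) runs the full UDVS-BB flow of Figure 1, including the cheaper $Q_2 = [u_b]Q_3$ check of the remark above and Bob's Fake simulation. It assumes a constructed toy bilinear structure: $\mathbb{G}_1 = \mathbb{G}_2 = \mathbb{G}_3 = (\mathbb{Z}_q, +)$ with $P_1 = P_2 = 1$, $\psi$ the identity and $\langle A, B\rangle = AB \bmod q$, which is bilinear and non-degenerate but has trivial discrete logarithms, so it only validates the equations, not the security.

```python
import hashlib
import secrets

# Constructed toy bilinear structure, used only to check the equations of
# Figure 1: G1 = G2 = G3 = (Z_q, +), P1 = P2 = 1, psi = identity, and
# pair(A, B) = A*B mod q.  Bilinear and non-degenerate but INSECURE (discrete
# logarithms are trivial).  q is a prime.
Q = 1000003
P1 = P2 = 1


def pair(a, b):            # <A, B> of the paper, G3 written additively
    return (a * b) % Q


def smul(k, point):        # [k]P
    return (k * point) % Q


def rand_scalar():         # uniform in [1, q-1]
    return 1 + secrets.randbelow(Q - 1)


def h(msg: bytes) -> int:  # stand-in for the hash h onto [1, q-1] (toy)
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1)


def skeygen():             # sk_s = (u_a, v_a), pk_s = (U_a, V_a)
    ua, va = rand_scalar(), rand_scalar()
    return (ua, va), (smul(ua, P2), smul(va, P2))


def vkeygen():             # sk_v = u_b, pk_v = U_b
    ub = rand_scalar()
    return ub, smul(ub, P2)


def bb_sign(sk_s, msg):
    ua, va = sk_s
    while True:                                       # repeat until invertible
        r = rand_scalar()
        d = (ua + h(msg) + va * r) % Q
        if d:
            return r, smul(pow(d, -1, Q), P1)         # sigma = (r, S)


def _w(pk_s, msg, r):      # U_a + [h(m)]P_2 + [r]V_a
    Ua, Va = pk_s
    return (Ua + smul(h(msg), P2) + smul(r, Va)) % Q


def bb_verify(pk_s, msg, sig):
    r, S = sig
    return pair(S, _w(pk_s, msg, r)) == pair(P1, P2)


def designate(pk_v, sig):
    r, S = sig
    t = rand_scalar()
    return r, smul(t, S), smul(t, pk_v), smul(t, P1)  # (r, Q1, Q2, Q3); psi = id


def dverify(pk_s, pk_v, msg, tau):
    r, Q1, Q2, Q3 = tau
    eq3 = pair(Q1, _w(pk_s, msg, r)) == pair(Q3, P2)  # equation (3)
    eq2 = pair(Q3, pk_v) == pair(Q2, P2)              # equation (2)
    return eq3 and eq2


def dverify_fast(pk_s, sk_v, msg, tau):
    """The remark's cheaper check: Q2 == [u_b]Q3 replaces the pairing pair beta."""
    r, Q1, Q2, Q3 = tau
    return pair(Q1, _w(pk_s, msg, r)) == pair(Q3, P2) and Q2 == smul(sk_v, Q3)


def fake(pk_s, sk_v, msg):
    """Bob's simulation: accepted by DVerify without any signature from Alice."""
    r, t = rand_scalar(), rand_scalar()
    R = smul(t, _w(pk_s, msg, r))                     # psi is the identity here
    return r, smul(t, P1), smul(sk_v, R), R


def run(msg=b"constructed message"):
    """Returns (Verify ok, DVerify ok, fast DVerify ok, Fake accepted, wrong msg)."""
    sk_s, pk_s = skeygen()
    sk_v, pk_v = vkeygen()
    sig = bb_sign(sk_s, msg)
    tau = designate(pk_v, sig)
    return (bb_verify(pk_s, msg, sig),
            dverify(pk_s, pk_v, msg, tau),
            dverify_fast(pk_s, sk_v, msg, tau),
            dverify(pk_s, pk_v, msg, fake(pk_s, sk_v, msg)),
            dverify(pk_s, pk_v, b"other message", tau))
```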

3.3 Description of the protocol UDVS-BLS 

3.3.1 Boneh-Lynn-Shacham's signatures. 

In [5], Boneh et al. presented the signature scheme BLS that works in any bilinear cryptographic
context. The scheme resembles the undeniable signature scheme proposed by Chaum and van
Antwerpen [6] and can be seen as a variant of the FDH signature scheme [3]. The protocol BLS
is efficient, produces short signatures (for carefully chosen parameters), and is unforgeable in
the random oracle model assuming the intractability of the co-CDH problem.

3.3.2 The scheme UDVS-BLS. 

Let Gen be a prime-order-BDH-parameter-generator, let $f_r \in \mathbb{N}^{\mathbb{N}}$, and let $\mathfrak{h}$ be a hash function
family such that for every bilinear structure $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi)$ output by Gen, $\mathfrak{h}(\mathbb{G}_1)$ generates
the description of a hash function $H$ (modeled in the security analysis as a random oracle)
which maps arbitrarily long bit strings to elements of $\mathbb{G}_1$. Let BLS be the associated signature
scheme; using the same approach, it is possible to construct a new UDVS scheme compatible
with the BLS signatures. The protocol UDVS-BLS is described in full detail in Figure 2.






Algorithm UDVS-BLS.Setup
Input: $k$
Output: $\mathcal{P}$
  $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi) \xleftarrow{R} \mathsf{Gen}(k)$
  $P_2 \xleftarrow{R} \mathbb{G}_2 \setminus \{0_{\mathbb{G}_2}\}$ ; $n_r \leftarrow f_r(k)$ ; $H \xleftarrow{R} \mathfrak{h}(\mathbb{G}_1)$
  $\mathcal{P} \leftarrow [(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3, \langle\cdot,\cdot\rangle, \psi), P_2, n_r, H]$

Algorithm UDVS-BLS.SKeyGen
Input: $\mathcal{P}$
Output: $(sk_s, pk_s)$
  $sk_s = u_a \xleftarrow{R} [1, q-1]$
  $pk_s = U_a \leftarrow [u_a]P_2$

Algorithm UDVS-BLS.VKeyGen
Input: $\mathcal{P}$
Output: $(sk_v, pk_v)$
  $sk_v = u_b \xleftarrow{R} [1, q-1]$
  $pk_v = U_b \leftarrow [u_b]P_2$

Algorithm UDVS-BLS.Sign
Input: $\mathcal{P}$, $m$, $u_a$
Output: $\sigma$
  $r \xleftarrow{R} \{0,1\}^{n_r}$ ; $H \leftarrow H(m, r)$
  $S \leftarrow [u_a]H$ ; $\sigma \leftarrow (r, S)$

Algorithm UDVS-BLS.Verify
Input: $\mathcal{P}$, $m$, $U_a$, $(r, S)$
Output: $b$
  $H \leftarrow H(m, r)$ ; $s \leftarrow \langle H, U_a\rangle$
  if $s = \langle S, P_2\rangle$ then $b \leftarrow 1$ else $b \leftarrow 0$

Algorithm UDVS-BLS.Designate
Input: $\mathcal{P}$, $m$, $pk_s$, $(r, S)$, $pk_v$
Output: $\tau$
  $t \xleftarrow{R} [1, q-1]$
  $Q_1 \leftarrow [t]S$ ; $Q_2 \leftarrow [t^{-1}]pk_v$
  $\tau \leftarrow (r, Q_1, Q_2)$

Algorithm UDVS-BLS.Fake
Input: $\mathcal{P}$, $m$, $pk_s$, $sk_v$
Output: $\tau$
  $r \xleftarrow{R} \{0,1\}^{n_r}$ ; $t \xleftarrow{R} [1, q-1]$
  $Q_1 \leftarrow [t^{-1}]H(m, r)$ ; $Q_2 \leftarrow [t \cdot sk_v]pk_s$
  $\tau \leftarrow (r, Q_1, Q_2)$

Algorithm UDVS-BLS.DVerify
Input: $\mathcal{P}$, $m$, $pk_s$, $(r, Q_1, Q_2)$, $sk_v$
Output: $b$
  $H \leftarrow H(m, r)$ ; $s \leftarrow \langle [sk_v]H, pk_s\rangle$
  if $s = \langle Q_1, Q_2\rangle$ then $b \leftarrow 1$ else $b \leftarrow 0$

Figure 2: Description of the protocol UDVS-BLS(Gen, $f_r$, $\mathfrak{h}$)



Let $k \in \mathbb{N}$, let $\mathcal{P} = ((q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_2, H)$ be some output of BLS.Setup($k$) and let $U_a = [u_a]P_2$ (resp. $U_b = [u_b]P_2$) be Alice's (resp. Bob's) public key output by BLS.KeyGen($\mathcal{P}$). BLS signatures are elements $S = [u_a]H \in G_1$, where the group element $H$ is the hash value of the signed message $m$ and (potentially) some random salt (of size $n_r = f_r(k)$). The discrete logarithm of $H$ is unknown to all users; therefore, once the signature $S$ is randomized as above, $Q_1 = [t]S$ for some $t \in [1, q-1]$, it suffices to reveal the element $Q_2 = [t^{-1}]U_b$ to prove, in a non-transferable way, to Bob that Alice actually signed the message $m$. The tuple $(P_2, U_a, U_b, H, (Q_1, Q_2))$ is indeed a bilinear Diffie-Hellman tuple which could have been produced by using secret information from Alice or Bob, but not otherwise, under the assumption that the computational bilinear Diffie-Hellman problem is intractable.
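As an added worked check (not part of the original paper), the DVerify equation of Figure 2 expanded with the figure's own symbols, once for a signature produced by Designate and once for one produced by Fake:

$$
\begin{aligned}
\text{Designate:}\quad \langle Q_1, Q_2\rangle &= \langle [t]S,\ [t^{-1}]U_b\rangle = \langle [t\,u_a]H,\ [t^{-1}u_b]P_2\rangle = \langle H, P_2\rangle^{u_a u_b},\\
\text{Fake:}\quad \langle Q_1, Q_2\rangle &= \langle [t^{-1}]H,\ [t\,u_b]U_a\rangle = \langle [t^{-1}]H,\ [t\,u_a u_b]P_2\rangle = \langle H, P_2\rangle^{u_a u_b},\\
\text{DVerify:}\quad \langle [\mathrm{sk}_v]H, \mathrm{pk}_s\rangle &= \langle [u_b]H,\ [u_a]P_2\rangle = \langle H, P_2\rangle^{u_a u_b}.
\end{aligned}
$$

Both tuples pass DVerify, and since $t$ is uniform in $[1, q-1]$ in both algorithms, $(Q_1, Q_2)$ is identically distributed whether it came from Alice's $S$ or from Bob's $u_b$, which is exactly what makes the designated signature non-transferable.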

Remark. The protocol UDVS-BLS is delegatable [15]. Indeed, in the algorithm UDVS-BLS.Fake, the secret key $u_b$ of the designated verifier is only used to compute the element $Q_2 = [t \cdot u_b]U_a \in G_2$, and the signer as well as the verifier can delegate their authenticating capability (without disclosing their secret key) by publishing the element $[u_a \cdot u_b]P_2$.
4 Security results



In this section, we state the security properties of our schemes. 
4.1 Unforgeability of the scheme UDVS-BB 

The theorem below states that the protocol UDVS-BB($\mathsf{Gen}$, $\mathfrak{H}$) is UDVS-EF-CMA-secure assuming the KEA assumption, the collision-resistance of $\mathfrak{H}$ and the intractability of the problem $\ell$-SDH in $\mathsf{Gen}$, for all polynomial $\ell \in \mathbb{N}^{\mathbb{N}}$. Since KEA is a somewhat strange and impractical assumption, it would be better if we could do without it, as has recently been done by Gjøsteen [9] for Damgård's encryption scheme. In the following theorem, we reduce the unforgeability of UDVS-BB to the problem $\mathcal{VR}_1$ without KEA. Finally, since the protocol UDVS-BB is publicly verifiable, we consider only UDVS-EF-CMA-attackers that do not make queries to the verifying oracle $\mathfrak{V}$.

Theorem 1 Let $\mathsf{Gen}$ be a prime-order-BDH-generator and $\mathfrak{H}$ be a hash-function family whose codomain is indexed by the orders of the groups generated by $\mathsf{Gen}$.

1. If the scheme BB($\mathsf{Gen}$, $\mathfrak{H}$) is EF-CMA-secure against polynomial adversaries, then, under the KEA assumption in $\mathsf{Gen}$, the scheme UDVS-BB($\mathsf{Gen}$, $\mathfrak{H}$) is UDVS-EF-CMA-secure against polynomial adversaries.

2. If for all polynomial $\ell$, $\mathsf{Gen}$ is $\ell$-SDH-secure against polynomial adversaries and if $\mathfrak{H}$ is a hash-function family collision-resistant against polynomial adversaries then, under the KEA assumption in $\mathsf{Gen}$, the protocol UDVS-BB($\mathsf{Gen}$, $\mathfrak{H}$) is UDVS-EF-CMA-secure against polynomial adversaries.

3. Let $(\tau, q_{\mathfrak{S}}) \in \mathcal{F}(\mathbb{N}, \mathbb{N})^2$ and let $\mathcal{A}$ be a $(\tau, q_{\mathfrak{S}}, 0)$-UDVS-EF-CMA-adversary against the scheme UDVS-BB($\mathsf{Gen}$, $\mathfrak{H}$). There exist $\tau', \tau'' \in \mathcal{F}(\mathbb{N}, \mathbb{N})$ verifying

$$\tau' = \tau + q_{\mathfrak{S}} \cdot (T_{\exp}(G_1) + O(1)) \quad \text{and} \quad \tau'' = \tau + O(1),$$

a $\tau'$-$\mathcal{VR}_1(q_{\mathfrak{S}})$-adversary $\mathcal{B}$ against $\mathsf{Gen}$ and a $\tau''$-Collision-adversary $\mathcal{C}$ against $\mathfrak{H}$ such that

$$2\,\mathrm{Succ}^{\mathcal{VR}_1(q_{\mathfrak{S}})}_{\mathsf{Gen},\mathcal{B}}(k) + \mathrm{Succ}^{\mathrm{Collision}}_{\mathfrak{H},\mathcal{C}}(k) \ge \mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BB},\mathcal{A}}(k).$$

Proof. 

1. The algorithm $\mathcal{B}$, which tries to forge a BB signature, takes as input some public parameters $\mathcal{P}$ and a signing public key $\mathrm{pk}_s$. It computes a verifying public key $U_b = [u_b]P_2$ by running the algorithm UDVS-BB.VKeyGen($\mathcal{P}$) and then executes the algorithm $\mathcal{A}$ on the inputs $\mathcal{P}$, $\mathrm{pk}_s$ and $U_b$. It forwards $\mathcal{A}$'s signature queries to its own signing oracle, and the simulation of the verifying oracles is straightforward since the protocol UDVS-BB is publicly verifiable.

Let us denote by $\mathcal{A}'$ the algorithm whose execution is identical to that of $\mathcal{A}$, but which returns the pair $(Q_3, Q_2)$ when $\mathcal{A}$ returns $\tau^* = (r, Q_1, Q_2, Q_3)$. If $\mathcal{A}$'s output is a valid forgery, then the 4-tuple $(\psi(P_2), [u_b]\psi(P_2), Q_3, Q_2)$ is a valid Diffie-Hellman 4-tuple. Assuming KEA, there exists an extractor $\mathcal{A}''$ which, taking as inputs $\mathcal{A}'$'s random tape and inputs, outputs $t \in [1, q-1]$ such that $Q_3 = [t]P_2$ and $Q_2 = [t]U_b$ with a probability negligibly close to the success probability of $\mathcal{A}$.

$\mathcal{B}$ runs the algorithm $\mathcal{A}''$ to get this value $t$ and outputs the pair $\sigma^* = (r, [t^{-1}]Q_1)$, which is a valid forgery for the scheme BB if $\tau^*$ is a valid forgery and $Q_3 = [t]P_2$. The probability of success of $\mathcal{B}$ is therefore negligibly close to that of $\mathcal{A}$ and its running time is polynomial.
2. It is a simple consequence of the first part of the theorem and of the security theorem from [4].

3. Let $\mathsf{Gen}$ be a prime-order-BDH-generator, $q_{\mathfrak{S}}, \tau \in \mathcal{F}(\mathbb{N}, \mathbb{N})$ and let $\mathcal{A}$ be a $(\tau, q_{\mathfrak{S}}, 0)$-UDVS-EF-CMA-adversary against UDVS-BB($\mathsf{Gen}$). It is readily seen that $\mathcal{A}$ can be converted either into an attacker against the simplified scheme defined without the hash function $h$ or into an attacker $\mathcal{C}$ against the collision resistance of $\mathfrak{H}$. For the sake of simplicity, we will assume that the scheme works directly on messages $m \in [1, q]$.

We will construct an algorithm $\mathcal{B}$ which takes as inputs $(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi)$ generated by $\mathsf{Gen}(k)$, a vector $(m_1, \ldots, m_{q_{\mathfrak{S}}(k)}) \in [1, q]^{q_{\mathfrak{S}}(k)}$, $(P_2, X, Y) \in G_2^3$ and $(R_1, \ldots, R_{q_{\mathfrak{S}}(k)}) \in G_1^{q_{\mathfrak{S}}(k)}$ satisfying $R_i = [(x + m_i)^{-1}]P_1$ for all $i \in [1, q_{\mathfrak{S}}(k)]$, with $P_1 = \psi(P_2)$ and $X = [x]P_2$, and outputs a 4-tuple

$$(m, R, S, T) \in \big([1, q-1] \setminus \{m_1, \ldots, m_{q_{\mathfrak{S}}(k)}\}\big) \times G_2 \times G_1 \times G_3$$

which satisfies

Our method of proof is inspired by Shoup [19]: we define a sequence of games $\mathrm{Exp}_1, \ldots, \mathrm{Exp}_4$ starting from the actual UDVS-EF-CMA-adversary $\mathcal{A}$ and modify it step by step, until we reach a final game whose success probability has an upper bound related to solving the $\mathcal{VR}_1(q_{\mathfrak{S}})$ problem. All the games operate on the same underlying probability space: the public and private keys of the signature scheme and the coin tosses of $\mathcal{A}$.

$\mathrm{Exp}_1$: $\mathcal{B}_1$ plays the role of the challenger in the experiment $\mathrm{Exp}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BB},\mathcal{A}}$ of Definition 2.

Initialization($k$)
  $\mathcal{P} \leftarrow$ UDVS-BB.Setup($k$),
  $(\mathrm{sk}_s, \mathrm{pk}_s) \leftarrow$ UDVS-BB.SKeyGen($\mathcal{P}$), $(\mathrm{sk}_c, \mathrm{pk}_c) \leftarrow$ UDVS-BB.VKeyGen($\mathcal{P}$)
  run $\mathcal{A}(\mathcal{P}, \mathrm{pk}_s, \mathrm{pk}_c) \rightsquigarrow (m^*, \tau^*)$.
Simulation of the oracles
  • $\mathfrak{S}(m)$: UDVS-BB.Sign($\mathcal{P}, m, \mathrm{sk}_s$).

In the random experiments $\mathrm{Exp}_i$, for $i \in [1, 4]$, we denote by $F_i$ the event "$m^* \notin \mathcal{Q}_{\mathfrak{S}}$ and UDVS-BB.DVerify($\mathcal{P}, m^*, \mathrm{pk}_s, \tau^*, \mathrm{pk}_c, \mathrm{sk}_c$) $= 1$".

By definition, we have $\Pr[F_1] = \mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BB},\mathcal{A}}(k)$.

$\mathrm{Exp}_2$: $\mathcal{B}_2$ modifies the previous simulation by inserting the bilinear structure underlying the instance of the problem $\mathcal{VR}_1(q_{\mathfrak{S}})$ to solve into the public parameters $\mathcal{P}$.

Initialization($k$)
  $\mathcal{P} \leftarrow [(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_1, P_2]$,
  $(u_a, v_a, u_b) \leftarrow [1, q-1]^3$, $(U_a, V_a, U_b) \leftarrow ([u_a]P_2, [v_a]P_2, [u_b]P_2)$
  run $\mathcal{A}(\mathcal{P}, (U_a, V_a), U_b) \rightsquigarrow (m^*, \tau^*)$.
Simulation of the oracles
  • $\mathfrak{S}(m)$: UDVS-BB.Sign($\mathcal{P}, m, (u_a, v_a)$).

The distribution of $\mathcal{A}$'s inputs is unchanged and we have $\Pr[F_2] = \Pr[F_1]$.

$\mathrm{Exp}_3$: The algorithm $\mathcal{B}_3$ precomputes the signatures given to the adversary $\mathcal{A}$ and then uses its knowledge of the secret key $u_a$ or $v_a$ in the chameleon hash function to answer $\mathcal{A}$'s signature queries. The algorithm $\mathcal{B}_3$ distinguishes two types of forgers:

Type 0: the forgers which

  (a) either make a signature query on $m$ such that $m = -u_a$;

  (b) or return a forgery $(m^*, \tau^*)$ with $\tau^* = (r^*, Q_1^*, Q_2^*, Q_3^*)$ such that $m^* + v_a r^* \notin \{m_1, \ldots, m_{q_{\mathfrak{S}}(k)}\}$.

Type 1: the other forgers, namely those which

  (a) do not make a signature query on $m$ such that $m = -u_a$;

  (b) and return a forgery $(m^*, \tau^*)$ with $\tau^* = (r^*, Q_1^*, Q_2^*, Q_3^*)$ such that $m^* + v_a r^* = m_i$ for some $i \in [1, q_{\mathfrak{S}}(k)]$.

The adversary $\mathcal{A}$ is necessarily of one of these two types and the algorithm $\mathcal{B}_3$ picks uniformly at random a bit $\beta \in \{0, 1\}$. This algorithm will be able (at the end of the simulation) to solve the $\mathcal{VR}_1(q_{\mathfrak{S}})$ problem if the adversary $\mathcal{A}$ is of type $\beta$.

Initialization($k$)
  $\mathcal{P} \leftarrow [(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_1, P_2]$, $c \leftarrow 1$, $\ell \leftarrow 0$, $\beta \leftarrow \{0, 1\}$
  $(u_a, v_a, u_b) \leftarrow [1, q-1]^3$ ; $(U_a, V_a, U_b) \leftarrow ([u_a]P_2, [v_a]P_2, [u_b]P_2)$
  $(h_1, \ldots, h_{q_{\mathfrak{S}}(k)}) \leftarrow [1, q-1]^{q_{\mathfrak{S}}(k)}$
  for $i$ from $1$ to $q_{\mathfrak{S}}(k)$ do
    if $\beta = 0$ then $T_i \leftarrow [(u_a + h_i)^{-1}]P_1$ else $T_i \leftarrow [(v_a + h_i)^{-1}]P_1$
  run $\mathcal{A}(\mathcal{P}, (U_a, V_a), U_b) \rightsquigarrow (m^*, \tau^*)$.
Simulation of the oracles
  • $\mathfrak{S}(m)$: if $\beta = 0$ and $[m]P_2 = -U_a$ then $\ell \leftarrow m \bmod q$
    if $\beta = 0$ then $r \leftarrow (h_c - m) \cdot v_a^{-1} \bmod q$, $S \leftarrow T_c$
    else $r \leftarrow (u_a + m) \cdot h_c^{-1} \bmod q$, $S \leftarrow [r^{-1}]T_c$
    if $r = 0$ then return $\bot$ else $c \leftarrow c + 1$, return $(r, S)$.

In both cases, the signatures produced by $\mathcal{B}_3$ are perfectly distributed. We have indeed $\langle S, U_a + [m]P_2 + [r]V_a\rangle = \langle T_c, U_a + [h_c]P_2\rangle = \langle P_1, P_2\rangle$ for $\beta = 0$, and $\langle S, U_a + [m]P_2 + [r]V_a\rangle = \langle [r^{-1}]T_c, [r \cdot h_c]P_2 + [r]V_a\rangle = \langle P_1, P_2\rangle$ for $\beta = 1$.

In the random experiment $\mathrm{Exp}_i$, let us denote, for $i \in \{3, 4\}$, by $T_i$ the event "$\mathcal{A}$ is of type $\beta$". The algorithm $\mathcal{B}_3$ aborts the simulation only if $\mathcal{A}$ is of type $1 - \beta$. Therefore, we have $\Pr[F_3 \mid T_3] = \Pr[F_2]$.

$\mathrm{Exp}_4$: $\mathcal{B}_4$ replaces in the following the public keys given as inputs to $\mathcal{A}$ and the precomputed signatures $(h_i, T_i)$ by elements coming from the instance of the problem to solve.

Initialization($k$)
  $\mathcal{P} \leftarrow [(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_1, P_2]$, $c \leftarrow 1$, $\ell \leftarrow 0$, $\beta \leftarrow \{0, 1\}$
  if $\beta = 0$ then $(U_a, U_b) \leftarrow (X, Y)$, $v_a \leftarrow [1, q-1]$, $V_a \leftarrow [v_a]P_2$
  else $(V_a, U_b) \leftarrow (X, Y)$, $u_a \leftarrow [1, q-1]$, $U_a \leftarrow [u_a]P_2$
  $(h_1, \ldots, h_{q_{\mathfrak{S}}(k)}) \leftarrow (m_1, \ldots, m_{q_{\mathfrak{S}}(k)})$
  $(T_1, \ldots, T_{q_{\mathfrak{S}}(k)}) \leftarrow (R_1, \ldots, R_{q_{\mathfrak{S}}(k)})$
  run $\mathcal{A}(\mathcal{P}, (U_a, V_a), U_b) \rightsquigarrow (m^*, \tau^*)$.

In the random experiment $\mathrm{Exp}_3$, if $\beta = 0$ (resp. if $\beta = 1$) the knowledge of $(u_a, u_b, v_b)$ (resp. of $(v_a, u_b, v_b)$) is not necessary to answer $\mathcal{A}$'s signature queries. Hence, $\mathcal{B}_4$ can still answer $\mathcal{A}$'s queries and, since the distribution of the public keys and of the precomputed signatures is unchanged, we get

$$\Pr[F_4 \mid T_4] = \Pr[F_3 \mid T_3].$$

Eventually, when $\mathcal{A}$ returns the pair $(m^*, \tau^*)$, with $\tau^* = (r^*, Q_1^*, Q_2^*, Q_3^*)$, the algorithm $\mathcal{B}$ can solve the instance of the problem $\mathcal{VR}_1(q_{\mathfrak{S}}(k))$:

  • if $\mathcal{A}$ is of type 1 and returns a forgery on a message $m^*$ satisfying the relation $(m_i - m^*) \cdot (r^*)^{-1} = x \bmod q$, or if $\mathcal{A}$ is of type 0 and has made a signature query on a message $m$ such that $m = -x$, then $\mathcal{B}_4$ can retrieve the discrete logarithm of $X$ in base $P_2$ and it can trivially produce a triple $(R, S, T)$ verifying the equality (1);

  • otherwise, $\mathcal{B}$ computes $m = m^* + r^* v_a \bmod q$ and stops its execution by outputting the 4-tuple $(m, R, S, T) \in [1, q-1] \times G_2 \times G_1 \times G_3$ where $R = Q_3^*$, $S = Q_1^*$ and $T = Q_2^*$.

End of $\mathcal{B} = \mathcal{B}_4$'s execution $(m^*, \tau^*)$
  $(r^*, Q_1^*, Q_2^*, Q_3^*) \leftarrow \tau^*$
  if $\beta = 1$ and $\exists i$, $[(m_i - m^*) \cdot (r^*)^{-1}]P_2 = V_a$ then $\ell \leftarrow (m_i - m^*) \cdot (r^*)^{-1}$
  if $\ell \neq 0$ then $m \leftarrow [1, q-1] \setminus \{m_1, \ldots, m_{q_{\mathfrak{S}}(k)}\}$ ; $r \leftarrow [1, q-1]$
    $R \leftarrow [r]P_1$ ; $S \leftarrow [r(\ell + m)^{-1}]P_1$ ; $T \leftarrow [r]\psi(Y)$
  if $\beta = \ell = 0$ then $m \leftarrow m^* + r^* v_a \bmod q$
    $R \leftarrow Q_3^*$ ; $S \leftarrow Q_1^*$ ; $T \leftarrow Q_2^*$
  return $(m, R, S, T)$.

Clearly, if the event $F_4 \cap T_4$ occurs, the algorithm $\mathcal{B} = \mathcal{B}_4$ returns a 4-tuple $(m, R, S, T)$ which satisfies (1) and, since $\Pr[T_4] = 1/2$, we get

$$2\,\mathrm{Succ}^{\mathcal{VR}_1(q_{\mathfrak{S}})}_{\mathsf{Gen},\mathcal{B}}(k) + \mathrm{Succ}^{\mathrm{Collision}}_{\mathfrak{H},\mathcal{C}}(k) \ge \mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BB},\mathcal{A}}(k).$$

The algorithm $\mathcal{B}$ runs in time less than $\tau(k) + q_{\mathfrak{S}}(k)(T_{\exp}(G_1) + O(1))$, which concludes the proof.



4.2 Unforgeability and anonymity of the scheme UDVS-BLS 

We prove (in the random oracle model) that UDVS-BLS is UDVS-EF-CMA-secure under the assumption that the problem $\mathcal{VR}_2$ is intractable in $\mathsf{Gen}$. It is worth noting that this problem is at least as hard as the computational bilinear Diffie-Hellman problem underlying the schemes from [14, 20]. We also prove (again in the random oracle model) that the protocol UDVS-BLS is UDVS-$\mathcal{P}$-CMA-secure under the assumption that the decisional variant of this problem is intractable in $\mathsf{Gen}$.



Theorem 2 Let $f_r \in \mathcal{F}(\mathbb{N}, \mathbb{N})$ and let $\mathsf{Gen}$ be a prime-order-BDH-generator. Let $(q_{\mathfrak{S}}, q_{\mathfrak{H}}, q_{\mathfrak{V}}, \tau) \in \mathcal{F}(\mathbb{N}, \mathbb{N})^4$.

1. For all $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-EF-CMA-adversary $\mathcal{A}$ against UDVS-BLS($\mathsf{Gen}$, $f_r$, $\mathfrak{O}_H$) where $\mathfrak{O}_H$ is a $q_{\mathfrak{H}}$-random oracle, there exists $\tau' \in \mathcal{F}(\mathbb{N}, \mathbb{N})$ verifying

$$\tau' \le \tau + (q_{\mathfrak{H}} + q_{\mathfrak{S}} + 2 q_{\mathfrak{V}} + 2)\,(T_{\exp}(G_1) + O(1))$$

and a $\tau'$-$\mathcal{VR}_2$-adversary $\mathcal{B}$ against $\mathsf{Gen}$ such that

$$\mathrm{Succ}^{\mathcal{VR}_2}_{\mathsf{Gen},\mathcal{B}}(k) \ge \frac{\mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BLS},\mathcal{A}}(k)}{(1 + 6\, q_{\mathfrak{S}}\, 2^{-f_r})\,(q_{\mathfrak{V}} + 1)}.$$

2. For all $(\tau, q_{\mathfrak{S}}, q_{\mathfrak{V}})$-UDVS-$\mathcal{P}$-CMA-distinguisher $\mathcal{A}$ against UDVS-BLS($\mathsf{Gen}$, $f_r$, $\mathfrak{O}_H$) where $\mathfrak{O}_H$ is a $q_{\mathfrak{H}}$-random oracle, there exists $\tau' \in \mathcal{F}(\mathbb{N}, \mathbb{N})$ verifying

$$\tau' \le \tau + (q_{\mathfrak{H}} + q_{\mathfrak{S}} + 2 q_{\mathfrak{V}} + 1)\,(T_{\exp}(G_1) + O(1)),$$

and a $\tau'$-$\mathcal{VR}_3$-distinguisher $\mathcal{B}$ against $\mathsf{Gen}$ such that

$$\mathrm{Adv}^{\mathcal{VR}_3}_{\mathsf{Gen},\mathcal{B}}(k) \ge \mathrm{Adv}^{\text{UDVS-}\mathcal{P}\text{-CMA}}_{\text{UDVS-BLS},\mathcal{A}}(k) - \frac{q_{\mathfrak{S}} + q_{\mathfrak{V}}}{2^{f_r}}.$$



Proof. 



1. The algorithm $\mathcal{B}$ takes as input $(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi)$ output by $\mathsf{Gen}(k)$, $X \in G_1$ and $(P_2, Y, Z) \in G_2^3$, and tries to output $(R_1, R_2) \in G_1 \times G_2$ such that $\langle R_1, R_2\rangle = \langle P_1, P_2\rangle^{xyz}$, where $P_1 = \psi(P_2)$, $X = [x]P_1$, $Y = [y]P_2$ and $Z = [z]P_2$. Our exact security reduction relies on two clever techniques from [7, 17]:

  • Following a well-known technique due to Coron [7], a random coin with expected value $\lambda \in [0, 1]$ decides whether $\mathcal{B}$ introduces the challenge in the answer to the random oracle or an element with a known preimage. For the optimal value of $\lambda$, this introduces the (small) loss factor $(1 + 6 \cdot q_{\mathfrak{S}} \cdot 2^{-n_r})$ in the success probability.

  • Using an approach due to Ogata, Kurosawa and Heng [17], introduced to analyze the security of Chaum's undeniable signatures, we do not need a decisional oracle to simulate the verification queries. The idea is that, unless UDVS-BLS is not unforgeable, all verification queries necessarily involve designated verifier signatures that were either obtained from the signing oracle (and can be readily checked) or are invalid. $\mathcal{B}$'s strategy is to guess which verification query involves a forged signature and to reject the signatures involved in all other queries. This is done at the expense of losing the factor $(q_{\mathfrak{V}} + 1)$ in $\mathcal{B}$'s probability of success.

For ease of presentation, let us (at first) assume that $\mathcal{B}$ has access to a decisional oracle for the problem $\mathcal{VR}_2$ (following Okamoto-Pointcheval's so-called gap problems [18]).

$\mathrm{Exp}_1$: $\mathcal{B}_1$ plays the role of the challenger in the experiment $\mathrm{Exp}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BLS},\mathcal{A}}$ of Definition 2 in the random oracle model. It plugs the bilinear structure underlying its problem instance into the public parameters $\mathcal{P}$. $\mathcal{B}_1$ simulates the random oracle $\mathfrak{O}_H$ by storing the queries made by $\mathcal{A}$ in a list denoted H-List (which contains at most $(q_{\mathfrak{H}}(k) + q_{\mathfrak{S}}(k) + q_{\mathfrak{V}}(k) + 1)$ 4-tuples). $\mathcal{B}_1$ manages a counter $c$ (with initial value $0$) and, for each signing, verifying or hashing query, $\mathcal{B}_1$ executes the routine Message.

Initialization($k$)
  $\mathcal{P} \leftarrow [(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_2, n_r]$,
  $c \leftarrow 0$
  $(u_a, u_b) \leftarrow [1, q-1]^2$
  $(U_a, U_b) \leftarrow ([u_a]P_2, [u_b]P_2)$
  run $\mathcal{A}(\mathcal{P}, U_a, U_b) \rightsquigarrow (m^*, \tau^*)$.
Message($m$)
  …
  return $c$.

The oracle queries are then simulated by $\mathcal{B}_1$ in a classical way:
Simulation of the oracles

  • $\mathfrak{O}_H(m, r)$: if $\exists R$, $(m, r, R, \cdot) \in$ H-List
      then return $R$
      else $a \leftarrow [1, q-1]$, $i \leftarrow$ Message($m$)
        if $r \in \mathcal{L}_i$ then $R \leftarrow [a]P_1$ else $R \leftarrow [a]X$
        H-List $\leftarrow$ H-List $\cup \{(m_i, r, R, a)\}$,
        return $R$

  • $\mathfrak{S}(m)$: $i \leftarrow$ Message($m$)
      if $\mathcal{L}_i = \emptyset$ then return $\bot$
      else $r \leftarrow \mathcal{L}_i$ ; $\mathcal{L}_i \leftarrow \mathcal{L}_i \setminus \{r\}$
        $\mathfrak{O}_H(m, r)$ ; find $(m_i, r, R, a)$ in H-List
        $S \leftarrow [a]\psi(U_a)$ ; return $(r, S)$

  • $\mathfrak{V}(m, \tau)$: $i \leftarrow$ Message($m$),
      $(r, Q_1, Q_2) \leftarrow \tau$
      $\mathfrak{O}_H(m, r)$ ; find $(m_i, r, R, a)$ in H-List
      return $\mathcal{VR}_3(R, U_a, U_b, Q_1, Q_2)$.

In the random experiment $\mathrm{Exp}_i$, for $i \in \{1, 2\}$, let us denote by $F_i$ the event

"$m^* \notin \mathcal{Q}_{\mathfrak{S}}$ and UDVS-BLS.DVerify($\mathcal{P}, m^*, \mathrm{pk}_s, \tau^*, \mathrm{pk}_c, \mathrm{sk}_c$) $= 1$."

Compared to Definition 2, the distribution of $\mathcal{A}$'s inputs is unchanged and the simulation of the oracles $\mathfrak{O}_H$, $\mathfrak{S}$ and $\mathfrak{V}$ is perfect. Moreover, $\mathcal{B}_1$ answers all signature queries without aborting with probability $\lambda^{q_{\mathfrak{S}}(k)}$ and therefore we have

$$\Pr[F_1] = \lambda^{q_{\mathfrak{S}}(k)}\,\mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BLS},\mathcal{A}}(k).$$

$\mathrm{Exp}_2$: $\mathcal{B}_2$ replaces in the following the public keys $U_a$ and $U_b$ furnished to $\mathcal{A}$ by the values $Y$ and $Z$ of unknown discrete logarithms (in base $P_2$).

Initialization($k$)
  $\mathcal{P} \leftarrow [(q, G_1, G_2, G_3, \langle\cdot,\cdot\rangle, \psi), P_2, n_r]$,
  $(U_a, U_b) \leftarrow (Y, Z)$
  run $\mathcal{A}(\mathcal{P}, U_a, U_b) \rightsquigarrow (m^*, \tau^*)$.

When $\mathcal{A}$ returns the pair $(m^*, \tau^*)$, with $\tau^* = (r^*, Q_1^*, Q_2^*)$, the algorithm $\mathcal{B}_2$ executes a hash query $\mathfrak{O}_H(m^*, r^*)$ and gets $i \in [0, c]$ such that $m^* = m_i$ and $(m^*, r^*, R, a) \in$ H-List. The algorithm $\mathcal{B}_2$ aborts its execution (by returning $\bot$) if $r^* \in \mathcal{L}_i$. Otherwise, $\mathcal{B}_2$ returns the pair $([a^{-1}]Q_1^*, Q_2^*)$.

End of $\mathcal{B} = \mathcal{B}_2$'s execution $(m^*, \tau^*)$
  $(r^*, Q_1^*, Q_2^*) \leftarrow \tau^*$
  $i \leftarrow$ Message($m^*$)
  $\mathfrak{O}_H(m^*, r^*)$
  find $(m_i, r^*, R, a)$ in H-List
  if $r^* \in \mathcal{L}_i$ then return $\bot$
  else return $([a^{-1}]Q_1^*, Q_2^*)$.

The probability that $r^* \notin \mathcal{L}_i$ is independent of $i$ and equal to

$$F(\lambda) = \big[\lambda(1 - 2^{-n_r})\big]^{q_{\mathfrak{S}}(k)} + (1 - \lambda)\big[\lambda(1 - 2^{-n_r})\big]^{q_{\mathfrak{S}}(k) - 1}.$$

By the simulation, if $r^* \notin \mathcal{L}_i$ and if the event $F_2$ holds, we have $R = [a]X$ and, if $\tau^*$ is a valid forgery, $\langle Q_1^*, Q_2^*\rangle = \langle P_1, P_2\rangle^{xyza}$. Therefore, the pair $([a^{-1}]Q_1^*, Q_2^*)$ is a solution of the $\mathcal{VR}_2$ problem instance.
The security analysis shows that $\mathcal{B} = \mathcal{B}_2$ satisfies

$$\mathrm{Succ}^{\mathcal{VR}_2}_{\mathsf{Gen},\mathcal{B}}(k) \ge \lambda^{q_{\mathfrak{S}}(k)}\,F(\lambda)\,\mathrm{Succ}^{\text{UDVS-EF-CMA}}_{\text{UDVS-BLS},\mathcal{A}}(k)$$

and runs in time at most $\tau' \le \tau + (q_{\mathfrak{H}} + q_{\mathfrak{S}} + q_{\mathfrak{V}} + 1)(T_{\exp}(G_1) + O(1)) + T_{\exp}(G_3)$ while making at most $q_{\mathfrak{V}}(k)$ queries to the decisional oracle $\mathcal{VR}_3$. An easy computation proves the existence of a value $\lambda_0$ such that $\lambda_0^{q_{\mathfrak{S}}} F(\lambda_0) \ge (1 + 6 \cdot q_{\mathfrak{S}} \cdot 2^{-n_r})^{-1}$ (see [7]).

In this reduction, if the decisional oracle for the problem $\mathcal{VR}_3$ returns $1$ for a 5-tuple $(R, Y, Z, Q_1, Q_2)$ associated with a verifying query on a pair $(m_i, (r, Q_1, Q_2))$ and if $r \notin \mathcal{L}_i$, then the pair $([a^{-1}]Q_1, Q_2)$ is a solution of the problem $\mathcal{VR}_2$ and there is no need to continue the execution of $\mathcal{A}$. Using this remark, it is possible to reduce the resistance to forgery of the scheme to the problem $\mathcal{VR}_2$ without using the decisional oracle.

A verifying query (made by $\mathcal{A}$, or by $\mathcal{B}$ at the end of its execution) on a pair $(m_i, (r, Q_1, Q_2))$ is said to be special if $r$ does not belong to the list $\mathcal{L}_i$. Let us denote by $A$ the event "one special verifying query is made in the random experiment $\mathrm{Exp}_2$", by $A_i$ the event "the first special verifying query in the experiment $\mathrm{Exp}_2$ is the $i$-th", for $i \in [1, q_{\mathfrak{V}}(k)]$, and by $A_{q_{\mathfrak{V}}(k)+1}$ the event "the first special verifying query in the experiment $\mathrm{Exp}_2$ is the one on the pair $(m^*, \tau^*)$". We have

$$A = \bigcup_{i=1}^{q_{\mathfrak{V}}(k)+1} A_i \quad \text{and} \quad F_2 \subseteq A,$$

where $F_2$ is the event "UDVS-BLS.DVerify($\mathcal{P}, m^*, \mathrm{pk}_s, \tau^*, \mathrm{pk}_c, \mathrm{sk}_c$) $= 1$, $m^* = m_i \notin \mathcal{Q}_{\mathfrak{S}}$ and $r^* \notin \mathcal{L}_i$."

In this variant, the algorithm $\mathcal{B}$ picks uniformly at random an integer $\nu \in [1, q_{\mathfrak{V}}(k) + 1]$ at the beginning of its execution. For each verifying query on $(m_i, \tau)$ where $\tau = (r, Q_1, Q_2)$, $\mathcal{B}$ gets the 4-tuple $(m_i, r, R, a)$ corresponding to the hash value of $(m_i, r)$ and

  • if $r \in \mathcal{L}_i$ then $\mathcal{B}$ returns $1$ if and only if $\langle Q_1, Q_2\rangle = \langle \psi(U_a), U_b\rangle^a$;

  • if $r \notin \mathcal{L}_i$ and if the verifying query is not the $\nu$-th, then $\mathcal{B}$ returns $0$;

  • if $r \notin \mathcal{L}_i$ and if the verifying query is the $\nu$-th, $\mathcal{B}$ stops $\mathcal{A}$'s execution and returns the pair $([a^{-1}]Q_1, Q_2)$.

If the event $A_\nu$ occurs, then the simulation of the oracles done by $\mathcal{B}$ up to the $\nu$-th verifying query is indistinguishable from the previous one and $([a^{-1}]Q_1, Q_2)$ is actually the solution to the instance $(P_2, X, Y, Z)$ of the problem $\mathcal{VR}_2$. Consequently, we have

$$\mathrm{Succ}^{\mathcal{VR}_2}_{\mathsf{Gen},\mathcal{B}}(k) \ge \sum_{i=1}^{q_{\mathfrak{V}}(k)+1} \Pr[A_i] \cdot \Pr[\nu = i] = \frac{1}{q_{\mathfrak{V}}(k) + 1} \sum_{i=1}^{q_{\mathfrak{V}}(k)+1} \Pr[A_i] = \frac{\Pr[A]}{q_{\mathfrak{V}}(k) + 1} \ge \frac{\Pr[F_2]}{q_{\mathfrak{V}}(k) + 1}.$$

This variant of $\mathcal{B}$ does not make any call to the oracle DBDH and its execution time is increased by at most one exponentiation in the group $G_3$ per query to the oracle $\mathfrak{V}$. This gives the claimed result.
2. The proof is more or less routine (see [14, 17] for instance) and is therefore left to the reader.

Remark. If public verification is desirable in an application (e.g. to design a UMDVS scheme) or if the anonymity property is not necessary, the unforgeability of the protocol UDVS-BLS can be reinforced. It is indeed possible to add a fourth element to the signature (namely $Q_3 = [t^{-1}]P_2 \in G_2$, allowing public verification) in such a way that the scheme obtained is really close to the protocol UDVS-BB. Since a designated verifier signature for the protocol UDVS-BLS can be readily derived from one for this scheme and since the underlying signature scheme is the same, we immediately get that forging a signature for the latter scheme is at least as hard as for UDVS-BLS. Under the knowledge-of-exponent assumption in $G_2$, we can also prove, in the standard security model, the resistance to forgery of the scheme assuming only the EF-CMA-security of the underlying signature scheme BLS.

5 Extension of the schemes to the Multi-verifier setting 

At the Crypto'03 rump session, Desmedt raised the question of allowing several designated verifiers in designated verifier signatures. The first step towards this problem was made in [13] with the introduction of the multi designated verifiers signature primitive and some concrete realizations of it. The notion of universal multi designated verifier signatures was naturally proposed shortly afterwards in [16].

5.1 UDVS-BB 

Let $n \in \mathbb{N}$. The scheme UDVS-BB can be seen as a "discrete-log two-party ring signature" and therefore, following the generic construction from [13], it can readily be extended into a universal $n$-designated verifier signature scheme: the algorithm VKeyGen remains unchanged and, in the signing algorithm, the verifying public key $\mathrm{pk}_v$ is simply replaced by the sum of the $n$ verifying public keys

$$\mathrm{pk}_{v_1} + \cdots + \mathrm{pk}_{v_n} = [\mathrm{sk}_{v_1} + \cdots + \mathrm{sk}_{v_n}]P_2.$$

Using a multi-party computation (for instance) and the algorithm UDVS-BB.Fake, the designated verifiers can cooperate to produce an $n$-designated verifier signature from $\mathrm{pk}_s$ to the keys $(\mathrm{pk}_{v_1}, \ldots, \mathrm{pk}_{v_n})$. This fact, together with the source hiding property of UDVS-BB, ensures the same property for the multi-user protocol. Finally, since the algorithm UDVS-BB.DVerify is public (i.e. does not require the verifying secret key), the algorithm DVerify is identical in the multi-user setting, with the verifying public key $\mathrm{pk}_v$ again replaced by the sum of the $n$ verifying public keys $\mathrm{pk}_{v_1} + \cdots + \mathrm{pk}_{v_n}$. In particular, it is very efficient and does not require interaction between the designated verifiers. It is worth noting that, in order to avoid well-known rogue key attacks, the users should prove knowledge of their secret key (in the registered public key model, for instance).

5.2 UDVS-BLS 

The scheme UDVS-BLS is not publicly verifiable and therefore does not fit the generic construction proposed in [13]. However, it is possible to adapt this scheme in order to design a universal $n$-designated verifier signature scheme for every integer $n > 1$. With the previous notations, suppose that Alice (resp. each of the $n$ verifiers) has published a public key $U_a = [u_a]P_2$ (resp. $U_{b_i} = [u_{b_i}]P_2$ for $i \in [1, n]$) and that the pair $\sigma = (r, S) \in [1, q-1] \times G_1$ is a BLS signature produced by Alice on a message $m$. If Cindy wants to designate $\sigma$ to the set of the $n$ verifiers, she picks uniformly at random an integer $t \in [1, q-1]$ and sets $Q_0 = [t]S$ and, for all $i \in [1, n]$, $Q_i = [t^{-1}]U_{b_i}$. The $(n+1)$-tuple $\tau = (r, Q_0, Q_1, \ldots, Q_n)$ is the multi-designated verifier signature on $m$.

The pairing ensures the correctness of the scheme, since the $i$-th verifier can check the consistency of the multi-DVS by checking, for all $j \in [1, n] \setminus \{i\}$, whether the equality $\langle \psi(U_j), Q_i\rangle = \langle \psi(U_i), Q_j\rangle$ holds, and then ascertain its validity thanks to the knowledge of its secret key by verifying the equality $\langle Q_0, Q_i\rangle = \langle [u_{b_i}]H(m, r), U_a\rangle$.
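As an added check (not in the original paper), writing $U_i = U_{b_i}$ as in the consistency test above, both equalities the $i$-th verifier evaluates reduce to symmetric quantities that do not depend on $i$ and $j$ being distinguished:

$$
\begin{aligned}
\langle \psi(U_j), Q_i\rangle &= \langle [u_{b_j}]\psi(P_2),\ [t^{-1}u_{b_i}]P_2\rangle = \langle \psi(P_2), P_2\rangle^{t^{-1}u_{b_i}u_{b_j}} = \langle \psi(U_i), Q_j\rangle,\\
\langle Q_0, Q_i\rangle &= \langle [t\,u_a]H(m, r),\ [t^{-1}u_{b_i}]P_2\rangle = \langle H(m, r), P_2\rangle^{u_a u_{b_i}} = \langle [u_{b_i}]H(m, r), U_a\rangle.
\end{aligned}
$$

The first line shows that all $Q_i$ share the same randomizer $t^{-1}$, so no verifier can have been singled out with a different $t$; the second is the two-party DVerify check of Figure 2 with $u_b$ replaced by $u_{b_i}$, and can only be evaluated by the holder of $u_{b_i}$.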

The security properties of the scheme UDVS-BLS($n$) are similar to those of the scheme UDVS-BLS. In the security reduction of unforgeability, a factor $1/n$ is lost. This factor corresponds to the bet made by the algorithm $\mathcal{B}$ on the public key that the adversary $\mathcal{A}$ will not corrupt. Once this choice has been made, the proof is identical to that of Theorem 2 and we can easily prove the unforgeability and the anonymity of this scheme assuming the intractability in $\mathsf{Gen}$ of the problems $\mathcal{VR}_2$ and $\mathcal{VR}_3$ (respectively).